Allow accounts to configure authentication requirements for its members (BB-9610)

For companies it is important that employees use reasonable password management practices. We can advise people on this, but experience shows that most do not take action because better security is always considered a hassle.

When using hosted services like BitBucket, there is no way whatsoever to enforce or review such password management practices.

It would be great if accounts could be configured to:

a) Require two factor authentication (obviously this depends on the two factor issue)
b) Require the use of SSH or single-sign-on, so disallowing any access using passwords.

Implementing such security policies would make BitBucket more appealing for commercial companies to use for private repository hosting and can differentiate BitBucket from other options.

Comments (15)

Teams cannot make changes to the personal accounts of the users it has added to its groups. Now what might be a possibility is for a team to then refuse service to any member who doesn't have 2-factor auth configured.

a) Require two factor authentication (obviously this depends on the two factor issue)

Indeed.

b) Require the use of SSH or single-sign-on, so disallowing any access using passwords.

I don't think I see how this would improve security in any way.

If the assumption is that some users use bad passwords that can be guessed/hacked, then limiting team access to SSH only wouldn't solve anything. The hacker with the password can now simply go into the account and add an extra SSH key and clone whatever the user account has access to.

Let's see if we can make this issue more concrete. We already have that 2-factor issue, so what specifically would you like to see us add?

1) Only allow members to be part of a team if they have two-factor authentication enabled. This has a dependency on the two-factor issue, but is a separate item in the sense that teams currently cannot have any requirements on the account configuration of the team members (notice that we do not want to configure the personal account, we just want to disallow team membership).

2) Two-factor authentication could be considered a bit redundant with SSO options, since the usual SSO options already support two-factor authentication. The point here is that currently using SSO does not enhance security, because the account can still be accessed using the normal password. I'm suggesting that it would be useful for people to disable password authentication on their account. If such an option were there, then that would be another useful requirement company teams might impose on their members. SSO cannot be used for command-line checkouts though, so SSH would be needed. If login with passwords is disabled, then SSH keys cannot be added.

If you think these suggestions should be separated, then I can make separate issues.

If we can make this issue really concrete, it will help internal review and scheduling.

How about:

Allow users to disable password-based authentication schemes for anything other than login.

Also have two-factor auth in place to limit damage from leaked passwords.

Then allow teams to refuse access to members that don't have password-based authentication disabled.

To be able to clone repos, members will have to use SSH, or a future, unsigned token-based scheme.
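The policy proposed above (members must have two-factor enabled and password-based authentication disabled, with SSH left as the way to clone), written out as an added Python model that is not Bitbucket's code; the `Account` and `TeamPolicy` fields and the ordering rule that an SSH key must exist before password auth can be switched off are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of a user account's authentication settings (assumption).
@dataclass
class Account:
    name: str
    two_factor: bool
    password_auth_enabled: bool          # can passwords be used for API/clone access?
    ssh_keys: list[str] = field(default_factory=list)

# Constructed model of the requirements a team may impose on its members.
@dataclass
class TeamPolicy:
    require_two_factor: bool = True
    require_password_auth_disabled: bool = True

def disable_password_auth(account: Account) -> Account:
    """Switch off password-based auth, but refuse when the account has no SSH key yet:
    once passwords are disabled the user could no longer add a key, so the account
    would lock itself out of command-line checkouts."""
    if not account.ssh_keys:
        raise ValueError(f"{account.name}: register an SSH key before disabling password auth")
    account.password_auth_enabled = False
    return account

def membership_violations(policy: TeamPolicy, account: Account) -> list[str]:
    """List the policy requirements an account does not meet (empty list = compliant)."""
    problems = []
    if policy.require_two_factor and not account.two_factor:
        problems.append("two-factor authentication not enabled")
    if policy.require_password_auth_disabled and account.password_auth_enabled:
        problems.append("password-based authentication still enabled")
    return problems

def review_team(policy: TeamPolicy, members: list[Account]) -> dict[str, list[str]]:
    """Map each non-compliant member to the reasons the team would refuse them access."""
    return {m.name: v for m in members if (v := membership_violations(policy, m))}

if __name__ == "__main__":
    # Constructed sample members.
    members = [
        Account("alice", two_factor=True, password_auth_enabled=False, ssh_keys=["ssh-ed25519 AAAA..."]),
        Account("bob", two_factor=False, password_auth_enabled=False, ssh_keys=["ssh-ed25519 BBBB..."]),
        Account("carol", two_factor=True, password_auth_enabled=True),
    ]
    for name, reasons in review_team(TeamPolicy(), members).items():
        print(f"refuse {name}: {'; '.join(reasons)}")
```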

FWIW, we are currently working on integrating Bitbucket with Atlassian ID (http://id.atlassian.com) which will provide SSO and in due time also add support for two-factor auth, and so that would cover the first bit of these requirements.

I note that the JIRA authentication can be used for other Atlassian services, and that allows for the enforcement of strong passwords. Is Bitbucket so separate an entity that the same can't be done, i.e. use the JIRA login for Bitbucket?

We've discussed these suggestions internally, but realized that we won't be able to tackle all of them in any reasonable timeframe.

As mentioned, we are currently working on integrating Bitbucket with Atlassian ID which will basically give us half of what you are suggesting. In fact, Atlassian ID does implement strict password strength and force regular password changes.

For now I'll close this issue as wontfix, considering the Atlassian ID integration will fix most of it and possibly even make the remaining issues redundant.